Security

Introduction

At BloomReach, we take security very seriously. This page describes what to do if you discover a security issue in a BloomReach product, how BloomReach deals with security issues, and how to keep your implementation up-to-date with the latest security updates.

We have the following process in place to deal with security-related issues:

Report Issue
Any potentially harmful security issue must be reported by sending an e-mail to [email protected]. This e-mail address is continuously monitored by product stakeholders from several different departments within our company.

Assess Issue
The issue reported to [email protected] is assessed by the product stakeholders within one business day.

If the issue is assessed as being a potentially harmful security issue, it is entered in an internal issue tracking system and assigned to the appropriate team. The reporter is informed that the issue is under investigation.

If the issue is assessed as not being a security-related issue, the reporter is informed through a standard response that this is not the appropriate channel for reporting it. The issue is then forwarded to the helpdesk, which will contact the reporter to discuss whether further assistance is required.

Verify Issue
The team assigned to the issue verifies the reported behavior. The outcome of this effort (verified or not reproducible) is communicated to the reporter of the issue.

Fix Issue
The team assigned to the verified issue categorises the issue as major or minor. For major issues, i.e. issues with an OWASP rating of MEDIUM or higher, a dedicated hotfix version is created. For minor issues, the fix is included in the next regular maintenance release.

Inform Customers
All BloomReach Experience Manager customers are informed about the security fix and encouraged to apply the hotfix or maintenance release as soon as possible.

Inform Community
The BloomReach Experience Manager community is informed about the security fix six weeks after informing our customers. For major issues, a fix equivalent to the hotfix is included in a regular maintenance release, and each fixed security issue is published on this site (see link below). This provides BloomReach Experience Manager customers with sufficient time to apply the hotfix or maintenance release before the security fix is made public. Once the major security fix is public, BloomReach Experience Manager customers can upgrade to the public maintenance release and drop the hotfix.

BloomReach Experience Manager customers are directly informed of new security updates and are provided with hotfixes. The BloomReach Experience Manager community is informed of new security updates through the page below and can upgrade to the latest maintenance release.